Abstract

Privacy policies, laws, and guidelines have been cultivated based on overly verbose specifications. This article claims that privacy regulations lend themselves to a firmer language based on a model of flow of personal identifiable information. The model specifies a limited number of situations and acts on personal identifiable information. As an application of the model, the model is applied to portions of the Privacy Rule of Health Insurance Portability and Accountability Act (HIPAA).